Usenix LEET 2012: Observations on Emerging Threats

I presented Trend Micro’s Threat Research group’s observations on Tuesday (24 April 2012) at Usenix LEET 2012 in San Jose, California. This was an invited industry position paper, so it was not a difficult task for me to collect several observations from my team which reflect significant developments in the current threat landscape, submit a position paper, and subsequently present the rationale for those observations.

Trend Micro’s Threat Research group is specially tasked with looking forward on the threat landscape and working with technology and/or various product development groups inside the company to ensure that, as a company, we deliver the appropriate security solutions to address emerging threats to our customers. To accomplish this requires our threat research group to understand, explore, and deconstruct various malicious technologies, campaigns, vulnerabilities, and exploits which are currently being perpetrated on victims today.

Our esteemed director, Martin Roesler, likes to compare us to Army Scouts — we go out ahead of the troops to assess enemy troop strength, location, capabilities, etc., so that our commanders can formulate an effective battle plan.

Briefly, I’d like to share the highlights of these emerging threats observations here. These issues represent what we consider to be significant developments on the emerging threats landscape, warranting mention insofar as the threat they represent from a security perspective.

Evolution, Commoditization, Professionalism of Exploit Kits

Exploit kits, such as the ever-popular Black Hole Exploit Kit, have skyrocketed in both popularity and volume as the “weapon of choice”. We observe that this phenomenon has served to increase the attack surface enormously for victimization, and see this trend increasing. The ongoing life-cycle support and development factors, and the fact that these kits have become commoditized (being bought, sold, and bartered in the criminal underground) indicate that we will see a continual use of them by cybercriminals.

Increasing Sophistication of Traffic Direction Systems (TDS)

Traffic Direction Systems (TDS) are used to (as the name implies) direct victim traffic to various landing pages, such as exploit kits, Rogue AV, fake pharmaceuticals, etc., depending on the pay-per-click or pay-per-install campaign, in essence to track traffic, browser referrers, affiliate campaigns, and manage the monetization of these campaigns. They are quite efficient and useful for the groups using them (from a “business” perspective) and we see these TDS systems, like the popular Sutra TDS, growing in usage and popularity.

Smaller, Diversified Botnets

We are also seeing that cybercriminals are shifting to smaller, more diversified botnets as opposed to larger, more monolithic botnets simply to avoid losing all their infrastructure due to a “take-down”, whether it be simply a domain registrar suspending domains involved in the campaign, disconnection of communication services, or law enforcement seizure of assets. This follows the “all your eggs in one basket” rule-of-thumb, and cybercriminals are simply moving to blend with the noise as much as possible. It stands to reason that it is much harder to take down 600 botnets of 1,000 bots each than it is to take down one botnet of 600,000 bots.

Modularization

Modularization is a phenomenon we are seeing especially with Banking Trojans such as ZeuS, SpyEye, Carberp, etc., wherein special-purpose plug-ins are being developed which can be “snapped in” at will. For example, plug-ins for screen-grabbers, back-connects, web injects, etc., allow simplified feature sets to be purchased and used individually. This further commoditizes specialized Trojans and creates a market for specialized crime. We are already seeing this development elsewhere in the threat landscape with exploit kits, so there is reason to believe that this is an area of concern which needs to be monitored.

Evolution of Mobile Threats

Regardless of the sheer numbers of mobile threats appearing currently on various marketplaces, for the most part we see most of these are simply “proof-of-concept” – while they may indeed be malicious, steal victim information, hijack accounts, send premium SMS, and so on, they do not reflect what we consider to be “significant crime” at this point – there is no real concerted effort to target e-commerce or banking applications. We expect that to change dramatically with the next generation of handsets that fully support NFC (Near Field Communications) functionality in firmware, when a much larger percentage of the consumer market will begin to adopt more e-commerce and financial applications. Once there is significant profit to be made, we expect a much larger, more serious targeting of the mobile landscape by “professional” cybercriminals.

Continued Exploitation of Social Networks

Let’s face it – social networks are the “low-hanging fruit” for cybercriminals. People are often foolish on social networking sites – they post too much personal information, are easily fooled into clicking on booby-trapped links, and are easily socially-engineered. We really have no expectation that this will change. The human is always the weakest link in the security chain.

Critical Infrastructure Attacks

This is an area where we have tried to remain rational, and not contribute to the fearful rhetoric and hype. Having said that, we are learning that networks which could be considered “Critical Infrastructure” are run by private companies which do not always make the best operational security decisions, may lack a proper security posture, and provide an excess of opportunity for attackers. Unfortunately, many of these organizations are sitting ducks for unauthorized access, or worse – and we have seen several utilities around the world already be penetrated by attackers and we fully expect to see additional incidents manifest themselves in the near future.

HTML5 “Exploitation”

More widespread adoption of HTML5 facilitates a new “homogeneous” surface for attackers. Whereas “corner case” exploitation using JavaScript, web sockets, cross-site scripting and cross-site request forgery, Java, and other seemingly stand-alone exploit technologies exists today, HTML5 brings all of them under a common exploitation umbrella. HTML5 also allows for browser exploitation regardless of the underlying operating system, allowing for possible browser-based botnets. See also my colleague Bob McArdle’s most excellent three-part blog series on “HTML5: The Good, The Bad, and The Ugly”.

More Data Breaches via Targeted Attacks (APT)

Targeted attacks (or APTs if you wish) work because, again, social-engineering works. And apparently it does not have to be very sophisticated to work really well, or at least that is one of our observations. This is also one of the main origins of data breaches, stolen information, trade secrets, source code, etc., and this is now the world we live in. We fully expect these attacks to continue, and in fact escalate.

“Hard-to-Reach” Relocation of Criminal Activity

Smart cybercriminals, we have observed, know how to maximize their window of opportunity. They know which domain registrars (or resellers) let them “push the envelope” on their behavior or are slow or resistant to respond to abuse requests. They know which hosting provider (or reseller) has a history of not responding to abuse requests or will turn a blind eye for a few extra dollars. They know how to blend in with the noise, and locate or engineer their “services” in ways that help them maximize their operational lifetime. We have seen this manifest itself in many ways, especially in Eastern Europe, but also in smaller, “fly-by-night” hosting providers in North America and Western Europe. This also includes moving them to emerging markets where no effective remediation organizations exist (e.g. National or Regional CERT, etc.), so in essence, there is no one to actually complain to. For example, in the past 6-9 months, there have been several transoceanic communications cables pulled into the continent of Africa, which will eventually open up a whole new market of Internet services to the continent’s population. Most of it will probably be mobile in nature, but the infrastructure and hosting will still be terrestrial, and while this is a great thing, it is important to ensure that a framework for handling cybercrime and incident response is also put into place in parallel.

Summary

These are just a few of the notable “emerging threats” that we have observed, and this is certainly not an exhaustive list. And some of these are not necessarily very technical in nature, which makes them even more troublesome – cybercrime generally takes the path of least resistance (why do something difficult when you can do something much easier?), and for the most part they are just taking advantage of operational failures, user naivete, and poor security posture.

We all must do better.
